[PATCH] Improve logging for bug 9316

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue May 24 15:39:40 UTC 2016


Hi!

Review appreciated!

Thanks,

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
-------------- next part --------------
From 1df2b961a48341fcf267921d977f128fd2bec001 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 24 May 2016 15:07:00 +0200
Subject: [PATCH 1/2] samdb: Improve debugging in acl_validate_spn_value()

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source4/dsdb/samdb/ldb_modules/acl.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 2aafc6c..910f9e8 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -521,7 +521,7 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
 				  const char *netbios_name,
 				  const char *ntds_guid)
 {
-	int ret;
+	int ret, princ_size;
 	krb5_context krb_ctx;
 	krb5_error_code kerr;
 	krb5_principal principal;
@@ -555,7 +555,9 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
 		return LDB_ERR_CONSTRAINT_VIOLATION;
 	}
 
-	if (krb5_princ_size(krb_ctx, principal) < 2) {
+	princ_size = krb5_princ_size(krb_ctx, principal);
+	if (princ_size < 2) {
+		DBG_WARNING("princ_size=%d\n", princ_size);
 		goto fail;
 	}
 
@@ -572,21 +574,29 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
 
 	if (serviceName) {
 		if (!is_dc) {
+			DBG_WARNING("is_dc=false, serviceName=%s,"
+				    "serviceType=%s\n", serviceName,
+				  serviceType);
 			goto fail;
 		}
 		if (strcasecmp(serviceType, "ldap") == 0) {
 			if (strcasecmp(serviceName, netbios_name) != 0 &&
 			    strcasecmp(serviceName, forest_name) != 0) {
+				DBG_WARNING("serviceName=%s\n", serviceName);
 				goto fail;
 			}
 
 		} else if (strcasecmp(serviceType, "gc") == 0) {
 			if (strcasecmp(serviceName, forest_name) != 0) {
+				DBG_WARNING("serviceName=%s\n", serviceName);
 				goto fail;
 			}
 		} else {
 			if (strcasecmp(serviceName, base_domain) != 0 &&
 			    strcasecmp(serviceName, netbios_name) != 0) {
+				DBG_WARNING("serviceType=%s, "
+					    "serviceName=%s\n",
+					    serviceType, serviceName);
 				goto fail;
 			}
 		}
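Review bot: The format string of the new `is_dc` warning is built from two adjacent literals with no separator, so the output reads `serviceName=foo,serviceType=bar`; change the first fragment to `"is_dc=false, serviceName=%s, "`. The continuation line `serviceType);` is also indented differently from the argument line above it. The two `DBG_WARNING("serviceName=%s\n", serviceName)` calls in the ldap and gc branches emit identical text, so the log does not show which comparison rejected the name; printing serviceType as well, as the final else branch already does, would disambiguate them. These strings appear to be parsed out of the client-supplied SPN, so untrusted data is what reaches the log here. acl_validate_spn_value begins and ends outside this hunk.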
@@ -611,6 +621,14 @@ static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
 fail:
 	krb5_free_principal(krb_ctx, principal);
 	krb5_free_context(krb_ctx);
+	ldb_debug_set(ldb, LDB_DEBUG_WARNING,
+		      "acl: spn validation failed for "
+		      "spn[%s] uac[0x%x] account[%s] hostname[%s] "
+		      "nbname[%s] ntds[%s] forest[%s] domain[%s]\n",
+		      spn_value, (unsigned)userAccountControl,
+		      samAccountName, dnsHostName,
+		      netbios_name, ntds_guid,
+		      forest_name, base_domain);
 	return LDB_ERR_CONSTRAINT_VIOLATION;
 
 success:
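Review bot: The new `ldb_debug_set` call hands samAccountName, dnsHostName and the other name arguments straight to `%s`; if any of them can be NULL at this point — they are looked up by the caller and by earlier parts of this function, outside the hunk, so I cannot confirm — that is undefined behaviour for printf-style formatting and only works by way of glibc's `(null)` extension. Guarding each nullable argument, e.g. `dnsHostName ? dnsHostName : "<none>"`, keeps the line portable. The earlier DBG_WARNING calls in this function and this summary go through different logging paths (DBG_WARNING versus ldb_debug_set), so they may appear at different levels or in different sinks; using one mechanism for both would keep the failure diagnostics together. acl_validate_spn_value continues past the end of the hunk.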
-- 
2.1.4


From 344267140ce2da26a7b9b3bbf3a1f936a1715b14 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl at samba.org>
Date: Tue, 24 May 2016 15:10:14 +0200
Subject: [PATCH 2/2] drsuapi: Improve debug in DsWriteAccountSpn

Signed-off-by: Volker Lendecke <vl at samba.org>
---
 source4/rpc_server/drsuapi/writespn.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/source4/rpc_server/drsuapi/writespn.c b/source4/rpc_server/drsuapi/writespn.c
index 04a4792..c3bdb3f 100644
--- a/source4/rpc_server/drsuapi/writespn.c
+++ b/source4/rpc_server/drsuapi/writespn.c
@@ -29,6 +29,7 @@
 #include "libcli/security/security.h"
 #include "libcli/security/session.h"
 #include "rpc_server/drsuapi/dcesrv_drsuapi.h"
+#include "librpc/gen_ndr/ndr_drsuapi.h"
 #include "auth/session.h"
 
 /*
@@ -232,6 +233,8 @@ WERROR dcesrv_drsuapi_DsWriteAccountSpn(struct dcesrv_call_state *dce_call, TALL
 				DEBUG(0,("Failed to modify SPNs on %s: %s\n",
 					 ldb_dn_get_linearized(msg->dn),
 					 ldb_errstring(b_state->sam_ctx)));
+				NDR_PRINT_IN_DEBUG(
+					drsuapi_DsWriteAccountSpn, r);
 				r->out.res->res1.status = WERR_ACCESS_DENIED;
 			} else {
 				DEBUG(2,("Modified %u SPNs on %s\n", spn_count,
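Review bot: The new `NDR_PRINT_IN_DEBUG` dump is emitted unconditionally in the failure branch, whereas the `DEBUG(0, ...)` line just above it is level 0; if the NDR print helper logs at a higher level (as far as I recall Samba's ndr_print debug helper uses level 1 — verify), the two will not co-occur at the default log level, and at higher levels the complete request, every SPN included, is written on each failure. If that is intended, a guard such as `if (DEBUGLVL(1)) { NDR_PRINT_IN_DEBUG(drsuapi_DsWriteAccountSpn, r); }` would make the level explicit at the call site. The include added in the first hunk of this file is what brings the NDR print macro into scope. dcesrv_drsuapi_DsWriteAccountSpn starts and ends outside this hunk.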
-- 
2.1.4


